Upcoming Webinar
Cayosoft Shows How Forest Recovery Tech Addresses Survey Issues
Join this webinar and not only learn about what your peers are doing, but also learn about a new patent-pending modern approach to AD forest recovery from Cayosoft.
New episode!
The Scoop on Loop: The Latest Innovations Directly From Microsoft!
Darrell Webster speaks to Rebecca Keys, a Program Manager from the Microsoft Loop team.
Turn Data Protection into an MRR Growth Engine
Security for your customers, revenue for your MSP practice. Access key insights on how to scale your practice with SkyKick’s new eGuide.
MSP eGuide to Package, Sell and Deliver M365 Security Services
Based on input from our top-performing MSPs, SkyKick prepared the MSP Guide to help you navigate the security landscape.

Azure AD System-Preferred Multifactor Authentication is Now Generally Available

Last year, Microsoft introduced the public preview of a system-preferred multifactor authentication (MFA) for Azure Active Directory (Azure AD). The company announced yesterday that the feature is now generally available for all commercial customers.

What is system-preferred MFA authentication?

With system-preferred authentication enabled, Azure AD evaluates all authentication methods registered for a user account, and selects the most secure option available for end users. As shown in the example below, the strongest authentication method is to approve a sign in request on Microsoft Authenticator. In this case, users won’t be able to select any other methods unless the app is unavailable.

“This system prompts the user to sign in with the most secure method they’ve registered and the method that’s enabled by admin policy. This will transition users from choosing a default method to use first to always using the most secure method available. If they can’t use the method they were prompted to use they can choose a different MFA method to sign in,” Microsoft explained.

Azure AD System-Preferred Multifactor Authentication is Now Generally Available

Microsoft explained that the system-preferred MFA feature dynamically chooses the most secure method for user authentication. The company updates the method based on the changes in the “security landscape.” The order of precedence of MFA methods is listed below:

Microsoft to enable system-preferred MFA by default in July

At launch, system-preferred MFA is enabled by default for all Azure AD customers. The company recommends IT admins to enable system-preferred multifactor authentication (MFA) via the Azure Portal or Graph APIs. However, it’s up to the IT Pros to disable the feature for end users in their tenants. Microsoft expects to enforce system-preferred authentication by default for all user accounts in July 2023.

Microsoft has also acknowledged a known issue with system-preferred multifactor authentication (MFA). Currently, the feature doesn’t provide support for FIDO2 security keys on mobile devices and certificate-based authentication (CBA). While Microsoft is working on a fix, it advises IT admins to create an excluded group to disable system-preferred MFA for these end users.

by Rabia Noureen
May 17, 2023

Rabia comes from a solid IT background and has been writing professionally about Microsoft products and other technology for four years. Rabia has also written for OnMSFT.com as well as Windows Report. She is always up to date on the latest trends in...

How to Properly Secure and Govern Microsoft Entra ID Apps

Oct 19, 2023
Apr 17, 2024
Microsoft Entra ID App Registration and Enterprise App Security Explained

Oct 19, 2023
Apr 17, 2024
Five Tactics Towards Achieving Zero Trust with Azure Active Directory

Aug 29, 2023
Feb 01, 2024

Take our survey

PETRI NEWSLETTERS

Join Petri Insider

Create a free account today to participate in forum conversations, comment on posts and more.